The ThreatFox: Vidar IOCs rule detects potential data exfiltration and lateral movement by identifying outbound traffic to known Vidar command-and-control domains. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises and prevent credential theft and network spread.
IOC Summary
Malware Family: Vidar Total IOCs: 3 IOC Types: url, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://paradisefitnesscity.com/ | payload_delivery | 2026-05-08 | 75% |
| domain | mpd.hidayahnetwork.com | botnet_cc | 2026-05-08 | 100% |
| url | hxxps://mpd.hidayahnetwork.com/ | botnet_cc | 2026-05-08 | 100% |
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Vidar
let malicious_domains = dynamic(["mpd.hidayahnetwork.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Vidar
let malicious_urls = dynamic(["https://paradisefitnesscity.com/", "https://mpd.hidayahnetwork.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using a known Vidar IOC domain
Description: A scheduled job in PowerShell or Task Scheduler is configured to use a domain listed in the Vidar IOC list as part of a legitimate service or API call.
Filter/Exclusion: Check for process.name = schtasks.exe or powershell.exe with a known legitimate command-line argument or script path. Exclude domains associated with known legitimate services.
Scenario: Admin using a Vidar IOC domain for legitimate remote access
Description: An administrator uses a domain listed in the Vidar IOC list as part of a legitimate remote access setup, such as Microsoft Remote Desktop or TeamViewer, for secure remote management.
Filter/Exclusion: Filter by user.domain = internal.corp or user.name containing admin credentials. Exclude traffic to domains used by known remote access tools.
Scenario: False positive from a legitimate phishing training exercise
Description: A simulated phishing email sent by the security team includes a URL to a domain listed in the Vidar IOC list as part of a red team exercise.
Filter/Exclusion: Check for email.sender in the security team’s internal email addresses or email.subject containing “phishing simulation” or “training”. Exclude URLs with query parameters indicating a test environment.
Scenario: Legitimate outbound traffic from a cloud service using a Vidar IOC domain
Description: A cloud service like AWS S3 or Azure Blob Storage uses a domain listed in the Vidar IOC list for legitimate data transfer or API calls.
Filter/Exclusion: Filter by process.name = aws-cli or az and check for known cloud service endpoints. Exclude traffic to domains that match known cloud service patterns.
**Scenario: